Why is online fraud a persistent and growing problem across industries, despite the dozens of vendors who have spent years claiming to solve it?
Any seasoned risk-management or anti-fraud team will say that when it comes to fraud mitigation, there’s no silver bullet; that after experiencing shortcomings of their tools they’ve come to realize no tool is a panacea.
That’s because online fraud at scale is an incredibly complex problem to solve, and often grows more complex as an organization matures. Perpetrators of fraud are also complex in their methods and have strong incentives to break many commonly relied on outsourced defenses offered in this space.
Outsourced risk models are built atop massive, global data sets collected across hundreds of applications and millions of users. And while data aggregated at such volume can help determine probabilities of common fraud typologies, high-cost fraud incidents continue to happen year after year.
What’s missing from these defenses is a nuanced ability to characterize and classify attacks, their impacts, and the behavioral context under which they occur. This capability for labeling comes when a company can collect granular behavioral signals they need on their users and their interactions, and use this context to inform risk model development.
Without this data as the foundation of risk modeling, outsourced risk modeling is limited to detecting context agnostic fraud cases, missing most of the target attacks.
In this post, we’ll detail those limitations, and share how augmenting tools with in-house risk management ultimately provides the greatest degree of extensibility in handling fraud cases as a business matures and its needs become more complex.
Uses for outsourced fraud modeling
Outsourced fraud models have their uses when immediacy is important and fraud cases are simplistic.
When a company begins to see the early instances of recurring fraud cases, plugging the losses is often prioritized over developing a broad, long-term strategic function in risk management.
In these circumstances, outsourced models can be ideal:
When there’s a need for immediacy
Data needed is collected via APIs and run through a model that has previously been used in production.
Apart from unexpected variables in integration or training periods, outsourced models can be a stop-gap and are a fast way to detect the bulk of common fraud cases.
When resources are limited
Companies allocate their resources according to the impacts fraud has on their organization, relative to the impacts of other initiatives (product releases, customer acquisition, etc.).
When companies do not have the means to develop a risk strategy involving tooling, headcount, and roadmap, outsourcing that function can help with focusing company resources on key priorities.
Limitations of outsourced risk management
Adopting outsourced risk tools might be a measured reaction to a latent fraud problem, though longer-term, falls short in its ability to tailor models around complex detection needs as a company matures.
These gaps are exposed when a company begins to face a more diverse set of fraud typologies in larger volumes.
Outsourced risk models are built on multitudes of data across numerous sources, any of which may be highly relevant or completely irrelevant to a company-specific instance of fraud. This leaves those models detecting only the lowest common denominator fraud typologies that global data aggregating allows.
Requires ongoing human training
Many outsourced fraud tools have a distinct “review” classification for behaviors that aren’t clearly labeled by the model as fraud or legitimate, which without time-intensive human review on a case by case basis, muddy the efficacy of the models and approach.
Limited context and control
Outsourced fraud models are designed to abstract away minutiae involved in risk classification.
But with limited context, teams who need to know what signals, behaviors, and flags contributed to a score are blocked from knowing how manual cases could be labeled better, how certain users should be treated, and where models are falling short; three expensive problems in their own rights.
There is also little room for customization in outsourced models. They can’t be refined if internal teams discover common behavioral trends outside of data gathered/inputted into the outsourced model, as an example.
In-house risk management: Strategic vs. Simplistic
Once a company decides risk management is a fundamental component of their business as a key enabler for growth and profitability, they are far better suited to build that function as an iterative, strategic value driver for the company, rather than a string of reactionary, “good enough for now” measures. The most effective way to do this is to bring the function in-house.
The challenge comes when that shift toward long-term thinking is made too late. Most companies realize that outsourced risk models get them part of the way only after incident costs balloon far past manageable levels.
If a company can acquire the right kinds of granular behavioral data on their own users, and use that data as the foundation for in-house risk modeling and management, the advantages can be profound.
Models tuned for any fraud type
Every model needs adjustment given every model eventually breaks. When risk modeling is designed and implemented in-house using first-party customer data as the source of truth, teams can build tremendously flexible predictive models, catch more specialized types of fraud, incorporate more data types and tune them without needing to work through an intermediary.
This means in-house teams can reach their desired levels of model efficacy across more fraud typologies far faster than other teams reliant on outsourced models. And since first-party behavioral data forms the core of the risk data ecosystem, models can be built with a highly relevant, highly specific context.
Full control over costs and development
Companies that opt for in-house management will be far less limited by models, roadmaps, and resources of other vendors compared to those reliant on them. Risk management as a strategic company function requires the same, if not more resource devotion as a new product launch.
Key decisions like staff qualifications, feature prioritization, costs, and timelines are all kept under the same roof with an in-house approach. With this option, a company’s fraud prevention goals can be defined and reached without external approval or collaboration; very important when a company begins to see the fraud typologies they experience diversify.
Minimal data exposure
Complying with data privacy regulations has become a top priority for virtually any company operating online today. As the internet broadly moves toward a more private and data-protected future, there is a struggle to reconcile how data sharing via outsourced tooling affects a company’s ability to stay within privacy laws.
In-house management remediates much of this risk, especially when data collection is focused on first-party behavioral data. Data collected can be done so with appropriate consent, stored how a company sees fit and within their own legal, digital, and physical frameworks, and not exposed to any other unnecessary third-party entity.
Contrast this with outsourced models whose primary utility is derived from third-party data gathering, data sharing, and “network effects” across countless users and apps.
Future-proofed risk management
The decision to use approaches, tools, or models for risk management shouldn’t be viewed as a binary one. There are circumstances where one method or both can work.
Online fraud is a complex and ever-changing environment despite the industry’s attempts to simplify it with integrated solutions.
For those companies reaching the tail end of what outsourced tools can detect, bringing risk control under their own roofs with the right technology, teams and data sets can completely change how they protect businesses in the future.